On Mon, Jun 29, 2009 at 10:16 AM, Mertens, Bram <mertensb@xxxxxxxxxxxx> wrote:
> I'd like to elaborate on this a bit.
>
> The intention of sudo is to allow specific users to execute specific
> commands while keeping the root account locked down. In addition sudo
> provides a trace of which user executed which command in /var/log/secure
> that can be used for auditing.
>
> The sudoers file should allow as little as possible to as few users as
> possible!
>
> If you allow users to execute sudo su - with or without having to enter
> the root password you gain nothing. While working as root no actions
> are logged and all log files can be edited to remove any trace of
> "illegal" actions.
>
> The same applies for sudo bash, this will grant the user full shell
> access without logging.
>
> Another example is sudo vi(m): from within vi the user can execute any
> command without any kind of logging.
>
> As for reading the log files: have a look at ACLs, configuring that
> allows you to grant read access to log files to a specific user or group
> of users.
>
> Kind regards
>
> Bram
>
> Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
> VAT BE 0406.024.281, RPR Mechelen, ING 310-0092504-52, IBAN : BE64 3100
> 0925 0452, SWIFT : BBRUBEBB
>
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Marti, Rob
> > Sent: Monday 22 June 2009 21:01
> > To: General Red Hat Linux discussion list
> > Subject: RE: SUDO
> >
> > IME it may be a "real pain" to sudo view every log, but for any time
> > you need accountability, you should either sudo view all logs, or
> > change who owns log files (IE create a log group and give group read
> > access to them). Once you switch to root there's no "reliable" logging
> > of what's going on.
> >
> > Allowing sudo su - (implied root) is a bad idea, imo.
> >
> > Rob Marti
> > ________________________________________
> > From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On Behalf Of mark [m.roth2006@xxxxxxx]
> > Sent: Monday, June 22, 2009 13:27
> > To: General Red Hat Linux discussion list
> > Subject: Re: SUDO
> >
> > Hike wrote:
> > > Why?
> > >
> > > If the user knows the root password, there is no need.
> >
> > Ok, let me explain further. We're not talking home systems, we're talking
> > corporate. And no, *not* everyone knows the root password. In fact, using
> > sudo su - means they do not have to know it.
> >
> > > If sudo is configured correctly, there is no need to "su - root" since
> > > the user can already run the needed commands.
> >
> > That depends. Some users - presumably admins - can be configured to be
> > allowed to run only certain commands. Others may need less limited use, and
> > it can be a lot easier if they can get to root; for example, when I'm going
> > to look at logs, and only root can read them, or even look in some
> > directories under /var/log, it's a *real* pain to sudo view every single log.
> >
> > > "man sudo" should explain how to configure sudo and the location of the
> > > configuration file.
> > >
> > > Did you stop to think that you might not be permitted to do this with
> > > sudo or that the "sudo su - root" may need to be defined in the
> > > configuration file or that the entire su command may need to be quoted,
> > > etc. so that sudo would understand?
> >
> > The original poster did say they thought they'd configured it correctly,
> > implying - this may not be the case - that they did have access to do this.
> >
> > mark
> >
> > > On Jun 22, 2009, at 1:27 PM, Matias Nicolas <matiasnicolas@xxxxxxxxxx> wrote:
> > >
> > >> I know that sudo is for running commands with root privileges but this
> > >> idea is about typing "sudo su -" and use one's password and not root's.
> > >>
> > >> That's all...
> > >>
> > >>> Date: Mon, 22 Jun 2009 12:14:41 -0500
> > >>> From: m.roth2006@xxxxxxx
> > >>> To: redhat-list@xxxxxxxxxx
> > >>> Subject: Re: SUDO
> > >>>
> > >>> Hike wrote:
> > >>>> If you have the root password, try the following.
> > >>>>
> > >>>> $ su - root
> > >>>>
> > >>>> When prompted, enter the root password.
> > >>>>
> > >>>> sudo is to permit regular users to run privileged commands. What you
> > >>>> are trying to do is overly complex and redundant.
> > >>>>
> > >>> Not necessarily. A lot of places want more security, and locking down
> > >>> root.
> > >>>
> > >>> mark
> > >>>
> > >>> --
> > >>> redhat-list mailing list
> > >>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > >>> https://www.redhat.com/mailman/listinfo/redhat-list
>

the op wants to hack the system and gain resources he has no authorization for.
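The rules Bram warns about (sudo su -, sudo bash, sudo vi) all share one property: sudo logs a single line for the invocation and nothing for what happens afterwards. Below is an added example, not part of the thread, of a small POSIX shell audit that scans a sudoers file for such rules. The sample sudoers content is constructed for the demo, and the check is a regex heuristic: it does not resolve Cmnd_Alias definitions or @include files, so treat a clean result as a first pass, not proof.

```shell
#!/bin/sh
# Added example (not from the thread): heuristic audit of a sudoers file for
# rules that hand out an interactive shell or a program with a shell escape.
# Such rules leave one "sudo" line in /var/log/secure and nothing for the
# commands run afterwards as root.

# Constructed sample sudoers content for the demo; not taken from a real host.
SAMPLE_SUDOERS='Defaults    log_output
Defaults    logfile=/var/log/sudo.log
# weak: a root shell with no per-command logging
alice   ALL=(ALL)       /bin/su -
bob     ALL=(ALL)       NOPASSWD: /bin/bash
# weak: vim can run any command via :!cmd
carol   ALL=(root)      /usr/bin/vim /etc/hosts
# better: sudoedit edits a temporary copy as the user; the editor never runs as root
dave    ALL=(root)      sudoedit /etc/hosts
# better: explicit commands; NOEXEC blocks exec() from inside the pager
%ops    ALL=(root)      NOEXEC: /usr/bin/less /var/log/secure, /sbin/service httpd restart
'

# Programs that give an interactive shell or can spawn one from inside.
ESCAPE_PROGS='su|bash|sh|zsh|ksh|vi|vim|nano|less|more'

# flag_shell_escapes TEXT: print each user rule whose command list names one
# of ESCAPE_PROGS, with or without a /bin or /usr/bin prefix. Comment lines,
# Defaults lines and rules tagged NOEXEC: are skipped. Heuristic only: it does
# not resolve Cmnd_Alias definitions or include files.
flag_shell_escapes() {
    printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -v '^[[:space:]]*Defaults' \
    | grep -v 'NOEXEC:' \
    | grep -E '(^|[[:space:],])(/bin/|/usr/bin/)?('"$ESCAPE_PROGS"')([[:space:]]|$|,)'
}

# count_shell_escapes TEXT: number of flagged rules, as a plain integer
# (0 when nothing was flagged).
count_shell_escapes() {
    flag_shell_escapes "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list the offending rules, the way a pre-commit check over
# a sudoers file under version control would.
if [ "$(count_shell_escapes "$SAMPLE_SUDOERS")" -gt 0 ]; then
    echo "sudoers rules granting a shell or a shell escape:"
    flag_shell_escapes "$SAMPLE_SUDOERS"
fi
```

On the sample above the check flags alice, bob and carol and passes dave and %ops. Two caveats worth knowing before relying on the "better" rules: NOEXEC works by preloading a library into dynamically linked programs, so it does nothing for statically linked binaries, and `Defaults log_output` records session I/O (replayable with `sudoreplay`) but does not stop a root shell from editing the logs it is written to. For Bram's ACL point, `setfacl -m g:logreaders:r /var/log/secure` grants a group read access without any sudo rule at all.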